Views of a Passionate Tester...

Thursday, March 14, 2013

Once upon a time, not long ago, a developer created his own personal website. To keep unauthorized users away, he added a login page. Being internet savvy himself, he knew how hackers plan their attacks. So, instead of displaying a direct error message for each login field, he showed a common message: “Username/Password is incorrect. Try again”. This was a smart move, as now the hacker couldn’t know which input was wrong. He showed this message to one of his developer friends, who followed the same approach. Soon, it became BEST PRACTICE to display a common error message on the login page.

The best thing about BEST PRACTICES is that they are best in some contexts; the worst thing is that people have a tendency to follow them blindly. In fact, sometimes they are followed by everyone and hence become common. There can’t be a hundred best students in a class of a hundred. Only one could be best in each subject among the hundred; the others could be good, very good, average or poor.

The story above is not a story, it is reality. The idea of changing the error message worked for the first developer, but it didn’t work for his friend. Why? Let’s see.

An unauthorized user enters an invalid username and password, and the system displays the error message “The email address or password you entered isn’t correct. Please try again”. Quite good. The user doesn’t know which is incorrect: username, password or both. (This is similar to what the first developer did and others followed.)

Then the user opens the “Forgotten your password?” page and enters the same email id. The system displays an error message saying the entered email is not registered with the website. Boom. The security provided by the previous error message is violated by this message. Now this unauthorized user knows that this is not a valid username, so he can put his energy into finding a valid one. He has got a direction to move in. (In our story, the first developer didn’t provide a Forgot Password page, but others did. So his solution worked for him but not for the others.)

The problem is that people are so obsessed with following best practices that context is side-lined in most cases. See the example below:

Here, if an unauthorized user enters an invalid email address, the system clearly tells him that the account doesn’t exist.

In the other case, when the user enters a correct email and an incorrect password, the system displays “Email/Password combination is wrong” (BEST PRACTICE). From the previous message, it is obvious that only the password can be wrong in this case, but, as I already said, people are so obsessed with following the BEST PRACTICES that they miss the tweaks.

There are two important learnings from the above examples:

BEST PRACTICES are best in their own contexts and might not work for you if your context differs. Do what works for you, and that will be your “BEST PRACTICE”. Moreover, it doesn’t make sense to me that if everyone is following the same thing, it can still be called a “BEST PRACTICE”. It should be called a “GENERAL PRACTICE”.

Don’t forget to verify the linking between error messages in your application. We have seen in the above scenarios that one error message violates the rule of the other. (The linking between error messages might be new to many and should be practised.)

If I were testing the same Forgot Password page for the website displayed above, I would ask the developer to place a message like “An email will be sent shortly to the registered email if it’s valid”.
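As an added example that is not part of the original post, here is a small Python model of the two websites described above, together with the "linking" check the post recommends: does a page answer differently for a registered and an unregistered email? The account store, the messages, the `login_leaky` handler and the `send_reset_mail` hook are all constructed for this example; the fixed forgot-password handler uses the wording suggested just above.

```python
"""Added example (not from the original post): toy login / forgot-password
handlers and a check that an unauthorized user cannot tell registered from
unregistered accounts by comparing the pages' responses."""

import hashlib
import hmac

# Constructed sample user store: email -> SHA-256 hex digest of the password.
# (A real site would use a slow, salted password hash; a plain digest keeps the
# example self-contained and offline.)
_USERS = {
    "alice@example.com": hashlib.sha256(b"correct horse").hexdigest(),
}

LOGIN_ERROR = "The email address or password you entered isn't correct. Please try again"
RESET_GENERIC = "An email will be sent shortly to the registered email if it's valid"

# Stand-in for the real mailer (hypothetical hook): records sends instead of mailing.
SENT: list[str] = []


def send_reset_mail(email: str) -> None:
    SENT.append(email)


def login(email: str, password: str) -> str:
    """First website: one generic message whether the email or the password is wrong."""
    stored = _USERS.get(email)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, supplied):
        return "Logged in"
    return LOGIN_ERROR


def login_leaky(email: str, password: str) -> str:
    """Second website from the post: tells the user the account doesn't exist,
    then shows the generic "combination is wrong" text only for known emails."""
    if email not in _USERS:
        return "This account doesn't exist"
    if hmac.compare_digest(_USERS[email], hashlib.sha256(password.encode()).hexdigest()):
        return "Logged in"
    return "Email/Password combination is wrong"


def forgot_password_leaky(email: str) -> str:
    """The Forgot Password page that undoes the generic login message."""
    if email not in _USERS:
        return "This email is not registered with the website"
    send_reset_mail(email)
    return "A password reset email has been sent"


def forgot_password_fixed(email: str) -> str:
    """The wording the post recommends: identical response either way. The mail
    goes out only for a real account, so nothing is revealed to the requester."""
    if email in _USERS:
        send_reset_mail(email)
    return RESET_GENERIC


def reveals_account_existence(handler, registered: str, unregistered: str) -> bool:
    """Linking check: True if the handler's message differs between a registered
    and an unregistered email, i.e. the page leaks whether an account exists."""
    return handler(registered) != handler(unregistered)


def check_message_linking() -> dict:
    """Run the linking check over every page; a practitioner would extend this
    to each place the application answers with an account-specific message."""
    reg, unreg = "alice@example.com", "nobody@example.com"
    return {
        "login": reveals_account_existence(lambda e: login(e, "wrong"), reg, unreg),
        "login_leaky": reveals_account_existence(lambda e: login_leaky(e, "wrong"), reg, unreg),
        "forgot_leaky": reveals_account_existence(forgot_password_leaky, reg, unreg),
        "forgot_fixed": reveals_account_existence(forgot_password_fixed, reg, unreg),
    }


if __name__ == "__main__":
    for page, leaks in check_message_linking().items():
        print(f"{page}: {'LEAKS account existence' if leaks else 'consistent'}")
```

The check compares only the message text, which is the point the post makes; it shows that a generic login message buys nothing while the Forgot Password page (or a field-specific login message) still answers differently for known and unknown accounts.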